Difference between revisions of "OpenSSH"
(→Basic) |
|||
(26 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | '''[[wikipedia:OpenSSH|OpenSSH]]''' is a popular suite of software utilities implementing [[Secure Shell]] (SSH) protocol. OpenSSH includes the ability to set up a [[TCP]] secured channel and it is widely use as a replacement for not secured [[telnet]] and secure replacement of file transfers such as rcp and ftp. OpenSSH offers a great number of features including ssh session multiplexing. | + | '''[[wikipedia:OpenSSH|OpenSSH]]''' is a popular suite of software utilities implementing [[Secure Shell]] (SSH) protocol. OpenSSH includes the ability to set up a [[TCP]] secured channel and it is widely use as a replacement for not secured [[telnet]] and secure replacement of file transfers such as rcp and ftp. OpenSSH offers a great number of features including ssh [[session multiplexing]]. |
<ref>https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing</ref><ref>https://stackoverflow.com/questions/20410252/how-to-reuse-an-ssh-connection</ref> | <ref>https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing</ref><ref>https://stackoverflow.com/questions/20410252/how-to-reuse-an-ssh-connection</ref> | ||
The OpenSSH suite includes the following command-line utilities and daemons: | The OpenSSH suite includes the following command-line utilities and daemons: | ||
− | * <code>[[ssh (OpenSSH client)|ssh]]</code>, ssh client and TCP secure replacement for | + | * <code>[[ssh (OpenSSH client)|ssh]]</code>, [[ssh client]] and TCP secure replacement for <code>[[rlogin]]</code>, <code>[[rsh]]</code> and <code>[[telnet]]</code> to allow shell access to a remote machine. |
* <code>[[scp]]</code>, a replacement for <code>[[rcp]]</code> | * <code>[[scp]]</code>, a replacement for <code>[[rcp]]</code> | ||
* <code>sftp</code>, a replacement for <code>[[ftp]]</code> to copy files between computers | * <code>sftp</code>, a replacement for <code>[[ftp]]</code> to copy files between computers | ||
* <code>[[sshd]]</code>, the SSH server daemon which allows shell access and file transfers to a remote machine. | * <code>[[sshd]]</code>, the SSH server daemon which allows shell access and file transfers to a remote machine. | ||
* <code>[[ssh-keygen]]</code>, a tool to inspect and generate the RSA, DSA and Elliptic Curve keys that are used for user and host authentication | * <code>[[ssh-keygen]]</code>, a tool to inspect and generate the RSA, DSA and Elliptic Curve keys that are used for user and host authentication | ||
+ | * <code>[[ssh-keyscan]]</code>, which scans a list of hosts and collects their public keys | ||
* <code>[[ssh-agent]]</code> and <code>[[ssh-add]]</code>, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used | * <code>[[ssh-agent]]</code> and <code>[[ssh-add]]</code>, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used | ||
− | |||
* <code>[[ssh-copy-id]]</code>, copy local keys to remote machine. | * <code>[[ssh-copy-id]]</code>, copy local keys to remote machine. | ||
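Review bot: grammar in the intro paragraph is unchanged on both sides of this hunk and still reads "widely use as a replacement for not secured telnet and secure replacement of file transfers"; it should be "widely used as a replacement for the unencrypted telnet and as a secure replacement for file-transfer tools such as rcp and ftp". The ssh-copy-id bullet also does not match the others ("copy local keys to remote machine"); "copies local keys to a remote machine" would read consistently with the rest of the list.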
Line 16: | Line 16: | ||
* [[Wikibooks: OpenSSH]] | * [[Wikibooks: OpenSSH]] | ||
* [[OpenSSH changelog]] | * [[OpenSSH changelog]] | ||
+ | |||
+ | == Config == | ||
+ | * Client: <code>[[/etc/ssh/ssh_config]]</code> or <code>~./[[config]]</code> | ||
+ | * Server: <code>[[/etc/ssh/sshd_config]]</code> | ||
== ssh clients == | == ssh clients == | ||
− | OpenSSH includes an ssh client:<code>[[ssh]]</code>. Others clients are available such us <code> | + | OpenSSH includes an ssh client:<code>[[ssh]]</code>. Others clients are available such us <code>[[PuTTY]]</code>, <code>mosh</code>, <code>paramiko</code> and <code>autossh</code><ref>https://linux.die.net/man/1/autossh</ref>. |
<code>autossh</code><ref>https://linux.die.net/man/1/autossh</ref> main feature not include in OpenSSH ssh client is the capability to monitor an ssh connection and restart it if necessary. | <code>autossh</code><ref>https://linux.die.net/man/1/autossh</ref> main feature not include in OpenSSH ssh client is the capability to monitor an ssh connection and restart it if necessary. | ||
− | * Loop waiting to connect to server: <code>AUTOSSH_POLL=5 AUTOSSH_GATETIME=0 autossh -M 0 -o ServerAliveInterval=5 -o ServerAliveCountMax=1 YOUR_SERVER_NAME_OR_IP</code> | + | * Loop waiting to connect to server: <code>AUTOSSH_POLL=5 AUTOSSH_GATETIME=0 [[autossh]] -M 0 -o ServerAliveInterval=5 -o ServerAliveCountMax=1 YOUR_SERVER_NAME_OR_IP</code> |
Ssh clients in Linux are frequently executed inside a terminal or using any kind of terminal multiplexer such as <code>[[tmux]]</code> or <code>[[screen]]</code>. | Ssh clients in Linux are frequently executed inside a terminal or using any kind of terminal multiplexer such as <code>[[tmux]]</code> or <code>[[screen]]</code>. | ||
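Review bot: the client path `~./config` in the new Config section is a typo; the per-user client file is `~/.ssh/config`, which is also the path the "See also" line uses (`~/.ssh/`). In the ssh clients paragraph, "Others clients are available such us" should read "Other clients are available, such as", and "autossh main feature not include in" should read "autossh's main feature not included in". The autossh man page is now cited twice in consecutive sentences, producing two identical reference entries; a single named ref reused in the second place would avoid the duplicate.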
Line 28: | Line 32: | ||
== Activities == | == Activities == | ||
=== Basic === | === Basic === | ||
− | * ''Convert a | + | * Install OpenSSH: <code>[[apt install]] openssh-server</code> |
+ | * ''Convert a [[PuTTY]] ssh key format to Openssh format'', you can follow the following instructions http://www.codeblocq.com/2016/05/Convert-a-putty-ppk-key-to-a-pem-file-on-OSX/, https://stackoverflow.com/questions/3475069/use-ppk-file-in-mac-terminal-to-connect-to-remote-connection-over-ssh | ||
* Open a reverse ssh tunnel, follow the following instructions https://www.howtoforge.com/reverse-ssh-tunneling | * Open a reverse ssh tunnel, follow the following instructions https://www.howtoforge.com/reverse-ssh-tunneling | ||
* [[Configure OpenSSH to reuse ssh connections]] (<code>ControlMaster</code>) | * [[Configure OpenSSH to reuse ssh connections]] (<code>ControlMaster</code>) | ||
− | * Generate a public Key from a private Key: <ref>https://serverfault.com/questions/52285/create-a-public-ssh-key-from-the-private-key</ref><code>[[ssh-keygen]] -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub</code> (example for RSA keys but can be applied to other key types) | + | * Generate a public Key from a private Key: <ref>https://serverfault.com/questions/52285/create-a-public-ssh-key-from-the-private-key</ref><code>[[ssh-keygen]] -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub</code> (example for [[RSA]] keys but can be applied to other key types) |
* [[Configure OpenSSH to allow Public-key authentication]] (<code>authorized_keys</code>)<ref>https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server</ref> | * [[Configure OpenSSH to allow Public-key authentication]] (<code>authorized_keys</code>)<ref>https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server</ref> | ||
− | * [[ | + | * [[Activate SSH on macOS]]: <code>sudo [[systemsetup]] -setremotelogin on</code> |
− | * Activate [[ | + | * [[Activate OpenSSH on Windows]] ([[Windows Server 2019]] or [[Windows 10]]):<ref>https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse</ref> |
− | |||
− | |||
=== Intermediate === | === Intermediate === | ||
Line 44: | Line 47: | ||
=== Advanced === | === Advanced === | ||
# Read ssh documentation about multiplexing https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing and its implementation details: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.mux?annotate=HEAD | # Read ssh documentation about multiplexing https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing and its implementation details: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.mux?annotate=HEAD | ||
− | # Configure ssh session multiplexing | + | # Configure ssh session [[multiplexing]] |
# Use <code>[[ProxyJump]]</code> directive to connect using a "Jump Server"<ref>https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_Through_One_or_More_Gateways_Using_ProxyJump</ref> | # Use <code>[[ProxyJump]]</code> directive to connect using a "Jump Server"<ref>https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_Through_One_or_More_Gateways_Using_ProxyJump</ref> | ||
# Run a shell script on a remote machine using ssh: <code>ssh root@MachineB 'bash -s' < local_script.sh</code><ref>https://stackoverflow.com/a/2732991</ref>. See also: [[parallel]] | # Run a shell script on a remote machine using ssh: <code>ssh root@MachineB 'bash -s' < local_script.sh</code><ref>https://stackoverflow.com/a/2732991</ref>. See also: [[parallel]] | ||
# Read https://github.com/openssh/openssh-portable source code | # Read https://github.com/openssh/openssh-portable source code | ||
# Read [[OpenSSH changelog]] | # Read [[OpenSSH changelog]] | ||
+ | |||
+ | == Related terms == | ||
+ | * [[MAC (message authentication code)]] | ||
+ | * [[Damien Miller]] | ||
+ | * [[Key Revocation Lists (KRL)]] | ||
+ | * [[AWS EC2 Instance Connect]] (Jun 2019) | ||
== See also == | == See also == | ||
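Review bot: the remote-script item `ssh root@MachineB 'bash -s' < local_script.sh` logs in directly as root; an unprivileged account is the better example for an Advanced activity, and it is worth saying that `bash -s` takes the script on stdin, so a script that itself reads from stdin will not behave as expected when run this way. The "Configure ssh session multiplexing" step still gives no directive names, while the Basic list already points at `ControlMaster`; naming it here too would connect the two.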
Line 58: | Line 67: | ||
* [[openssl]] | * [[openssl]] | ||
* {{fail2ban}} | * {{fail2ban}} | ||
+ | * {{security}} | ||
{{CC license}} | {{CC license}} |
Latest revision as of 13:13, 20 October 2022
OpenSSH is a popular suite of software utilities implementing the Secure Shell (SSH) protocol. OpenSSH can set up a secured TCP channel and is widely used as a replacement for the unencrypted telnet and as a secure replacement for file-transfer tools such as rcp and ftp. OpenSSH offers a great number of features, including ssh session multiplexing. [1][2]
The OpenSSH suite includes the following command-line utilities and daemons:
- ssh, the ssh client and TCP secure replacement for rlogin, rsh and telnet to allow shell access to a remote machine.
- scp, a replacement for rcp
- sftp, a replacement for ftp to copy files between computers
- sshd, the SSH server daemon which allows shell access and file transfers to a remote machine.
- ssh-keygen, a tool to inspect and generate the RSA, DSA and Elliptic Curve keys that are used for user and host authentication
- ssh-keyscan, which scans a list of hosts and collects their public keys
- ssh-agent and ssh-add, utilities to ease authentication by holding keys ready and avoid the need to enter passphrases every time they are used
- ssh-copy-id, copies local keys to a remote machine.
Readings
- Wikibooks: OpenSSH
- OpenSSH changelog
Config
- Client: /etc/ssh/ssh_config or ~/.ssh/config
- Server: /etc/ssh/sshd_config
ssh clients
OpenSSH includes an ssh client: ssh. Other clients are available, such as PuTTY, mosh, paramiko and autossh [3].
The main feature of autossh [4] that is not included in the OpenSSH ssh client is the capability to monitor an ssh connection and restart it if necessary.
- Loop waiting to connect to server: AUTOSSH_POLL=5 AUTOSSH_GATETIME=0 autossh -M 0 -o ServerAliveInterval=5 -o ServerAliveCountMax=1 YOUR_SERVER_NAME_OR_IP
Ssh clients in Linux are frequently executed inside a terminal or using a terminal multiplexer such as tmux or screen.
Activities
Basic
- Install OpenSSH: apt install openssh-server
- Convert a PuTTY ssh key to OpenSSH format, following these instructions: http://www.codeblocq.com/2016/05/Convert-a-putty-ppk-key-to-a-pem-file-on-OSX/, https://stackoverflow.com/questions/3475069/use-ppk-file-in-mac-terminal-to-connect-to-remote-connection-over-ssh
- Open a reverse ssh tunnel, following these instructions: https://www.howtoforge.com/reverse-ssh-tunneling
- Configure OpenSSH to reuse ssh connections (ControlMaster)
- Generate a public key from a private key: [5] ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub (example for RSA keys, but it can be applied to other key types)
- Configure OpenSSH to allow public-key authentication (authorized_keys) [6]
- Activate SSH on macOS: sudo systemsetup -setremotelogin on
- Activate OpenSSH on Windows (Windows Server 2019 or Windows 10): [7]
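The two key-handling steps above (regenerating a public key with `ssh-keygen -y`, then placing it in `authorized_keys`) carried through in one script. This is an added example, not code from the Wikiversity page or from OpenSSH: it works in a throwaway directory rather than `~/.ssh`, uses an ed25519 key where the page's command uses RSA (the steps are the same), and the `no-agent-forwarding,no-port-forwarding` options on the installed entry are an assumed hardening choice, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not code from the Wikiversity page: derive the public key
# from a private key with `ssh-keygen -y`, check it against the .pub file
# ssh-keygen wrote, and install it in an authorized_keys file with the
# permissions sshd's StrictModes expects. Everything happens in a throwaway
# directory, so ~/.ssh is never touched. The key is ed25519; the page's
# example uses RSA and the steps are identical.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/id_ed25519"

# Generate a key pair non-interactively (-N '' = empty passphrase, acceptable
# for a throwaway key; real keys should carry a passphrase and live in ssh-agent).
gen_key() {
    [ -f "$KEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'example@constructed' -f "$KEY"
}

# Recreate the public half from the private key and compare it with the .pub
# file. Only "type base64" is compared: ssh-keygen -y does not carry the comment.
derive_matches() {
    derived=$(ssh-keygen -y -f "$KEY" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 < "$KEY.pub")
    if [ "$derived" = "$stored" ]; then echo match; else echo mismatch; fi
}

# Append the key to an authorized_keys file the way ssh-copy-id would, with
# the directory and file modes sshd requires (700 and 600, owned by the user;
# a group- or world-writable file is refused while StrictModes is on).
# The leading options are an assumption about a typical hardened entry.
install_authorized_key() {
    dir="$WORK/remote-dot-ssh"
    mkdir -p "$dir" && chmod 700 "$dir"
    { printf 'no-agent-forwarding,no-port-forwarding '; cat "$KEY.pub"; } >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # The SHA256 fingerprint is what sshd logs on a successful public-key login,
    # so it is the value worth recording when the key is provisioned.
    ssh-keygen -lf "$KEY.pub" | awk '{print $2}'
}

gen_key
echo "derived public key: $(derive_matches)"
echo "installed key fingerprint: $(install_authorized_key)"
```

`ssh-keygen -y` only needs the private file, which is why the page's one-liner can rebuild a lost `.pub`; the comparison here shows that the rebuilt key is byte-identical apart from the comment field, and the fingerprint printed at the end is the one to match against `sshd` log lines when checking who logged in.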
Intermediate
- Learn about different client connection options, such as -oBatchMode=yes or -o ConnectTimeout=2 [8]
- Connect to a remote server temporarily turning off host key checking (note the security implications): ssh -oStrictHostKeyChecking=no SERVER_NAME
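The "security implications" of `StrictHostKeyChecking=no` are that ssh accepts whatever host key the far end presents on first contact, so a machine in the path can impersonate the server. The usual way to keep scripted connections non-interactive without that risk is to seed `known_hosts` in advance (with `ssh-keyscan`, listed among the suite's tools above) and verify the fingerprint out of band. The script below is an added example, not code from the page: it constructs the "server" host key locally so it runs offline, and `server.example.test` is an assumed name.

```shell
#!/bin/sh
# Added example, not code from the page: instead of switching host-key
# checking off, seed a known_hosts file with the server's host key ahead of
# time and keep checking strict. The "server" host key is constructed locally
# with ssh-keygen so this runs offline; on a real network the key line comes
# from `ssh-keyscan HOST` and its fingerprint is compared with one obtained
# out of band (console, provisioning record) before it is trusted.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=server.example.test          # assumed name; not a real machine
KNOWN="$WORK/known_hosts"

# Stand-in for the server's /etc/ssh/ssh_host_ed25519_key pair.
make_host_key() {
    [ -f "$WORK/host_key" ] || ssh-keygen -q -t ed25519 -N '' -C "root@$HOST" -f "$WORK/host_key"
}

# Write the entry in the format ssh-keyscan prints ("host type base64"), then
# hash the hostname (-H) so a copied file does not list every server this client knows.
seed_known_hosts() {
    make_host_key
    printf '%s %s\n' "$HOST" "$(cut -d' ' -f1,2 < "$WORK/host_key.pub")" > "$KNOWN"
    ssh-keygen -q -H -f "$KNOWN"
    rm -f "$KNOWN.old"
}

# Fingerprint of the real host key: the value to compare against out of band.
expected_fingerprint() {
    ssh-keygen -lf "$WORK/host_key.pub" | awk '{print $2}'
}

# Look the host up the same way ssh does (works on hashed entries) and return
# the fingerprint of the stored key, or "absent" if the host is unknown.
lookup() {
    ssh-keygen -F "$HOST" -f "$KNOWN" 2>/dev/null | grep -v '^#' > "$WORK/found" || true
    if [ -s "$WORK/found" ]; then
        ssh-keygen -lf "$WORK/found" | awk '{print $2}'
    else
        echo absent
    fi
}

seed_known_hosts
echo "expected:    $(expected_fingerprint)"
echo "known_hosts: $(lookup)"
# With the file seeded, the connection keeps strict checking and still fails
# fast in scripts (BatchMode disables prompts, ConnectTimeout bounds the wait):
echo "ssh -o BatchMode=yes -o ConnectTimeout=2 -o StrictHostKeyChecking=yes" \
     "-o UserKnownHostsFile=$KNOWN user@$HOST"
```

With the entry in place, `StrictHostKeyChecking=yes` refuses both unknown hosts and changed keys, which is the behaviour a script should have; `ssh-keygen -F` is also the quick way to check whether a hashed `known_hosts` already contains a given server before deciding to re-scan it.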
Advanced
- Read the ssh documentation about multiplexing https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing and its implementation details: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.mux?annotate=HEAD
- Configure ssh session multiplexing
- Use the ProxyJump directive to connect using a "Jump Server" [9]
- Run a shell script on a remote machine using ssh: ssh root@MachineB 'bash -s' < local_script.sh [10]. See also: parallel
- Read the https://github.com/openssh/openssh-portable source code
- Read OpenSSH changelog
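The two configuration steps in this list, session multiplexing and `ProxyJump`, are both client-side `~/.ssh/config` settings, and `ssh -G` resolves them for a given host without opening a connection, which makes a config testable offline. The script below is an added example and not code from the page, OpenSSH or the Wikibooks cookbook; `bastion.example.test`, `*.internal.example.test` and the user `ops` are assumed names.

```shell
#!/bin/sh
# Added example, not code from the page: a per-user client config that turns
# on session multiplexing (ControlMaster) and reaches internal hosts through a
# jump server (ProxyJump), checked with `ssh -G`, which prints the options ssh
# would apply to a host and exits without connecting. All hostnames are assumed.
set -eu
command -v ssh >/dev/null 2>&1 || { echo "ssh not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/config"   # stands in for ~/.ssh/config

write_config() {
    cat > "$CFG" <<'EOF'
# Multiplexing: the first connection to a user@host:port becomes the master;
# later ssh/scp/sftp runs reuse its TCP session (no new key exchange or
# authentication) and the master stays up 10 minutes after the last client.
# %C is a hash of the connection parameters, keeping the socket path short.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m

# The bastion is the only host reachable directly.
Host bastion
    HostName bastion.example.test
    User ops
    IdentityFile ~/.ssh/id_ed25519

# Internal hosts are reached through the bastion. ProxyJump tunnels a full
# SSH session through it, so the bastion forwards ciphertext only and cannot
# read or alter the inner session.
Host *.internal.example.test
    ProxyJump bastion
    User ops
EOF
}

# Resolve one option for a host exactly as ssh would, without connecting.
resolved() {  # usage: resolved HOST OPTION  (option names are lowercase in -G output)
    ssh -G -F "$CFG" "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

write_config
for opt in hostname user proxyjump controlmaster controlpath; do
    printf '%-14s %s\n' "$opt" "$(resolved db1.internal.example.test "$opt")"
done
```

Once a master is running, `ssh -O check host` reports whether the socket is live and `ssh -O stop host` (listed under See also) tells the master to stop accepting new clients; the `ProxyJump` entry also means the `ssh user@host 'bash -s' < script` pattern from the list above works unchanged for internal hosts, since the jump is handled by the config rather than the command line.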
Related terms
- MAC (message authentication code)
- Damien Miller
- Key Revocation Lists (KRL)
- AWS EC2 Instance Connect (Jun 2019)
See also
- Telnet (deprecated use), netcat
- OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF
- sslh [11], Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
- sshpass (brew install http://git.io/sshpass.rb)
- conch, client written in python
- openssl
- Port knocking, fail2ban [12], fwknop, DenyHosts
, DenyHosts - Security: Security portfolio, Security standards, Hardening, CVE, CWE, Wireless Network Hacking, vulnerability scanner, Security risk assessment, SCA, Application Security Testing, OWASP, Data leak, NIST, SANS, MITRE, Security policy, Access Control attacks, password policy, password cracking, Password manager, MFA, OTP, UTF, Firewall, DoS, Software bugs, MITM, Certified Ethical Hacker (CEH) Contents, Security+ Malware, FIPS, DLP, Network Access Control (NAC), VAPT, SIEM, EDR, SOC, pentest, PTaaS, Clickjacking, MobSF, Janus vulnerability, Back Orifice, Backdoor, CSO, CSPM, PoLP, forensic, encryption, Keylogger, Pwn2Own, CISO, Prototype pollution
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy.
Original source: https://en.wikiversity.org/wiki/OpenSSH
References
[1] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
[2] https://stackoverflow.com/questions/20410252/how-to-reuse-an-ssh-connection
[3] https://linux.die.net/man/1/autossh
[4] https://linux.die.net/man/1/autossh
[5] https://serverfault.com/questions/52285/create-a-public-ssh-key-from-the-private-key
[6] https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
[7] https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
[8] https://linux.die.net/man/1/ssh
[9] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_Through_One_or_More_Gateways_Using_ProxyJump
[10] https://stackoverflow.com/a/2732991
[11] https://github.com/yrutschle/sslh
[12] https://serverfault.com/a/608976